Cryptology ePrint Archive: Report 2014/323

Some Remarks on Honeyword Based Password-Cracking Detection

Imran Erguler

Abstract: Recently, Juels and Rivest proposed honeywords (decoy passwords) to detect attacks against hashed password databases. For each user account, the legitimate password is stored with several honeywords in order to sense impersonation. If honeywords are selected properly, an adversary who steals a file of hashed passwords cannot be sure, for any account, whether a given entry is the real password or a honeyword. Moreover, logging in with a honeyword will trigger an alarm notifying the administrator about a password file breach. At the expense of increasing the storage requirement by 20 times, the authors introduce a simple and effective solution to the detection of password file disclosure events. In this study, we scrutinize the honeyword system and present some remarks to highlight possible weak points. We also suggest an alternative approach that selects honeywords from existing user passwords in the system to provide realistic honeywords – a perfectly flat honeyword generation method – and also to reduce the storage cost of the honeyword scheme.
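The mechanism the abstract describes, as an added illustration that is not code from this paper or from Juels and Rivest: each account stores k sweetwords (one real password plus k-1 honeywords) in the hashed password file, the index of the real one lives in a separate honeychecker store, and a login attempt that hashes to a honeyword raises an alarm. The honeywords are drawn from other users' real passwords, following the alternative the abstract proposes. Everything not stated in the abstract is an assumption of this example: salted SHA-256 stands in for a slow password hash, k defaults to 20 to match the stated 20-fold storage increase, and the user names and passwords are constructed sample data.

```python
import hashlib
import secrets

RNG = secrets.SystemRandom()


def hash_password(password: str, salt: bytes) -> str:
    # Salted SHA-256 is an assumption made to keep the example short; a real
    # deployment would use a deliberately slow hash such as Argon2id or bcrypt.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def pick_honeywords(real: str, pool: list[str], k: int) -> list[str]:
    """Choose k-1 distinct honeywords from other users' real passwords.

    Because every candidate is itself a password someone actually chose, a
    thief of the hashed file has no statistical handle to tell the real
    entry from the decoys (the "flat" property the abstract refers to).
    """
    candidates = sorted({p for p in pool if p != real})
    if len(candidates) < k - 1:
        raise ValueError("password pool too small for k-1 distinct honeywords")
    return RNG.sample(candidates, k - 1)


class HoneywordSystem:
    def __init__(self, k: int = 20):
        self.k = k
        # user -> (salt_hex, [hash of each of the k sweetwords]); this is the
        # file an attacker would steal, and it contains no hint of which is real.
        self.password_file: dict[str, tuple[str, list[str]]] = {}
        # user -> index of the real password; kept on a separate, hardened host
        # (the honeychecker) so the stolen file alone is not enough.
        self.honeychecker: dict[str, int] = {}
        self.alarms: list[tuple[str, int]] = []

    def register(self, user: str, real: str, pool: list[str]) -> None:
        sweetwords = pick_honeywords(real, pool, self.k)
        sweetwords.append(real)
        RNG.shuffle(sweetwords)  # position of the real password is random
        salt = secrets.token_bytes(16)
        self.password_file[user] = (salt.hex(), [hash_password(w, salt) for w in sweetwords])
        self.honeychecker[user] = sweetwords.index(real)

    def login(self, user: str, attempt: str) -> str:
        """Return "ok", "fail", or "honeyword_alarm" for one login attempt."""
        if user not in self.password_file:
            return "fail"
        salt_hex, hashes = self.password_file[user]
        digest = hash_password(attempt, bytes.fromhex(salt_hex))
        if digest not in hashes:
            return "fail"  # not a sweetword at all: an ordinary wrong password
        idx = hashes.index(digest)
        if idx == self.honeychecker[user]:
            return "ok"
        # A honeyword only exists in the stolen file, so a hit means the file
        # has been cracked; record it for the administrator.
        self.alarms.append((user, idx))
        return "honeyword_alarm"

    def storage_ratio(self) -> float:
        """Hashes stored per account, relative to one hash per account."""
        total = sum(len(hashes) for _, hashes in self.password_file.values())
        return total / len(self.password_file)


# Constructed sample accounts (not from the paper): 25 users so that each
# account has at least 19 other users' passwords to draw honeywords from.
DEMO_USERS = {f"user{i:02d}": f"demo-pass-{i:02d}" for i in range(25)}


def build_demo(k: int = 20) -> HoneywordSystem:
    system = HoneywordSystem(k)
    pool = list(DEMO_USERS.values())
    for user, real in DEMO_USERS.items():
        system.register(user, real, pool)
    return system


if __name__ == "__main__":
    s = build_demo()
    print(s.login("user00", "demo-pass-00"))      # ok
    print(s.login("user00", "completely-wrong"))  # fail
    hits = [s.login("user00", p) for u, p in DEMO_USERS.items() if u != "user00"]
    print(hits.count("honeyword_alarm"), "honeyword hits out of", len(hits))
    print("storage ratio:", s.storage_ratio())
```

Trying every other user's password against one account shows the trade-off the abstract names: exactly k-1 of them are that account's honeywords and trip the alarm, the rest are plain failures, and the file holds k hashes per account instead of one.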